History/Background

The Sansa Connect was designed by Zing Systems Inc. (part of Dell), who showed off a Wi-Fi device for listening to streaming radio stations, without any onboard storage. A prototype device was announced, but never put into production. Screenshots from the time show a UI design similar to that of the current Sansa Connect.

The Sansa Connect has 4Gb of onboard flash storage, as well as a Micro-SD slot, capable of using SDHC cards in the newer firmware versions.

Rockbox Status

There is a Sansa Connect Rockbox port in progress. The bootloader can boot both the OF (original firmware, by holding the PREV button) and Rockbox. There is no software-only installation method available. Loading unsigned code requires a hardware modification.

The current Rockbox bootloader is meant to work as a replacement for vmlinux. After building the bootloader, prepend the following .srr header to the resulting bootloader.bin file:

AA BB FF EE 00 00 00 01 10 00 12 00 FI LE SI ZE

where FILESIZE is the bootloader.bin file size + 2048 (signature), encoded in little-endian (LE). Then, from the OF shell, overwrite /dev/mtd2 with the created file (don't use Recovery Mode, as we don't yet have a method to remove the recoverzap bootloader variable, which would result in the recovery screen again on the next boot).
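
As an added example (not part of the original page or of the Rockbox sources), the following Python builds the 16-byte .srr header described above, prepends it to bootloader.bin, and re-parses the result before it is written out. The function names and the output file name are assumptions; only the header prepend is done, because the page only says to prepend the header and does not mention supplying signature bytes.

```python
import struct
import sys

# First 12 header bytes, copied from the byte listing on this page.
SRR_PREFIX = bytes.fromhex("AABBFFEE" "00000001" "10001200")
SIGNATURE_SIZE = 2048              # added to the size field, per the page
HEADER_SIZE = len(SRR_PREFIX) + 4  # prefix + 32-bit little-endian FILESIZE


def build_srr_header(payload_len: int) -> bytes:
    """Return the 16-byte .srr header for a bootloader of payload_len bytes."""
    size_field = payload_len + SIGNATURE_SIZE
    if payload_len <= 0 or size_field > 0xFFFFFFFF:
        raise ValueError(f"payload length {payload_len} does not fit the header")
    return SRR_PREFIX + struct.pack("<I", size_field)


def wrap_bootloader(payload: bytes) -> bytes:
    """Prepend the header; nothing else is added, since the page only says
    to prepend it (the 2048 signature bytes are counted, not supplied)."""
    return build_srr_header(len(payload)) + payload


def check_srr(image: bytes) -> int:
    """Re-parse an image before flashing; return the payload length."""
    if len(image) <= HEADER_SIZE:
        raise ValueError("image is shorter than header plus payload")
    if image[:len(SRR_PREFIX)] != SRR_PREFIX:
        raise ValueError("fixed header bytes do not match")
    (size_field,) = struct.unpack_from("<I", image, len(SRR_PREFIX))
    payload_len = len(image) - HEADER_SIZE
    if size_field != payload_len + SIGNATURE_SIZE:
        raise ValueError(f"size field {size_field:#x} != payload + 2048")
    return payload_len


if __name__ == "__main__":
    # Hypothetical usage: python mksrr.py bootloader.bin bootloader.srr
    src, dst = sys.argv[1:3]
    with open(src, "rb") as f:
        image = wrap_bootloader(f.read())
    print(f"payload {check_srr(image)} bytes, header {image[:HEADER_SIZE].hex(' ')}")
    with open(dst, "wb") as f:
        f.write(image)
```

Running check_srr on the file once more after copying it to the device's storage catches a truncated transfer before /dev/mtd2 is overwritten.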

Booting is quite slow because the bootloader checks signatures (the hardware modification only makes the file always be accepted; the SHA-1 sum is still computed).

It is possible to overwrite the OF bootloader - if you are willing to take the risk, edit firmware/target/arm/tms320dm320/boot.lds and change FLASH_OFFSET to 0, rebuild the bootloader and then, using the hardware modification method, flash the new bootloader (don't add the srr header). WARNING: this has not been tested by anyone, and we may still be missing some critical initialization (which would mean a hard-to-recover brick).

The HID handles external devices - it is interfaced to the CPU via its built-in SPI interface, clocked at 200 kHz.

This device is initialized on boot - the firmware loaded on it is located at /lib/clicky165.bin. The fuse high byte is set to 0xd1 (OCD and JTAG enabled, watchdog always on, uses reset vector), while the fuse low byte is set to 0xC2 (divide clock by 8, enable clock output, use clock source 1).

Once programmed, it accepts commands (via SPI) which are defined in /usr/include/hidif.lu. These are used to control & query external devices:

This device is read by the /bin/setupenv script - it retrieves both deviceid and MAC address and loads them into the $deviceid and $mac environment variables, respectively. Other environment variables (/etc/setupenv) are:

Recovery Mode

Recovery Mode can be reached by completely powering down the device (by holding the power key for 10 seconds). Holding the volume-up and right keys while powering the device back on switches it to recovery mode. In recovery mode the device uses different USB IDs (0781:7481 and 0781:7482, vs 0781:7480 in normal operation) - if installed under Windows, the Sansa Connect Device Recovery software will automatically launch when a Connect in recovery mode is connected.

USB ID 0781:7481 is used for writing .SRR files to Flash, while 0781:7482 accesses the "Zaprecover" service (complete with a kernel module!!!), which handles dumping files to the filesystem.

Once Linux is loaded, recovery mode is signaled by a persistent variable ("recoverzap") stored in flash. This flag is only removed after a successful recovery operation, so there's no way to exit recovery mode once entered without running the recovery operation (and therefore wiping the unit) with the stock initrd file.

Recovery sequence

Turn off the device completely (hold power key for 10 seconds)

Turn the device on while holding volume-up and the right button (above the wheel)

The device will boot showing a "recovery needed" indicator. In this mode the device exposes the USB ID 0781:7481, which zsi_fw.exe communicates with. This is NOT handled by Linux - so it's either the Linux bootloader or maybe even a previous instance of software. This mode is persistent after reboot.

Once the USB cable is connected the indicator is changed to "recovery in progress".

After a successful firmware load with zsi_fw.exe, the device will attempt to boot the vmlinux image (after a small delay). If the device reboots to recovery mode, something went wrong with the firmware load. Otherwise Linux will boot correctly and go to recovery mode, exposing the USB ID 0781:748 (Zaprecover service) and displaying a "starting recovery" message (with a yellow clock on top). How the device determines it has to go into recovery mode after boot is unclear - most likely it's because the flash filesystem is wiped after a firmware write.

Once a platform load is started with zaprecover.exe the message changes to "receiving software".

Once finished, the message changes to "verifying software" (signature check), then "installing software" (a message reading "can't find image" might flash briefly). The device now proceeds to extract the platform into the filesystem.

After a small delay, if everything went ok the device should now reboot to the familiar Sansa loading screen (with the five color balls).

ZAP recovery service

Once Linux is loaded, in recovery mode the device loads a kernel module called "zaprecover" (/bin/usb_switch_zaprecover), listening on 0781:7482. The driver is interfaced with /usr/bin/zsi_zap, which tells the module how many files to expect and where to store them. In recovery mode, it waits for both the platform file and signature to be sent, in that order (/etc/rc.recover):

/usr/bin/zsi_zap -f /disk/zap/ZAP.tar.gz -f /disk/zap/ZAP.tar.gz.sig

The device won't leave recovery mode unless both files are downloaded correctly and the signature is checked. The data protocol used by the zaprecover service is still unknown, but the source for it is freely readable in the kernel patch.

Software

Software/Hardware hacking

It is possible to replace the internal iNAND with a microSD card, which allows changing the platform, for example to start telnet.
Tips:
After connecting via wireless, stop WiFiThread to prevent disconnection due to inactivity. This can be achieved by looking up the thread's pid with cat /var/tmp/native_thread_map and then sending SIGSTOP to it (kill -s SIGSTOP pid).

JTAG

There is JTAG on the PCB. The Hirose Electric FH19SC-16S-0.5SH(05) connector matches the footprint.

There are broken links in the PDF to the Sansa site to download modified source versions of the GPL-licensed software. Instead these downloads are available from the Zing site, substituting zing.net for sandisk.com in the links: busybox, GPG, Linux, Mono, resample and uClibc. Also attached is a diff created against the vanilla 2.6.4 kernel release.